Re: [ossec-list] active response not working for frequency and SSH

Mon, 14 Jan 2013 07:25:05 -0800 


Op maandag 14 januari 2013 15:36:05 UTC+1 schreef dan (ddpbsd) het volgende:
>
> On Mon, Jan 14, 2013 at 8:51 AM, Michiel van Es 
> <[email protected]<javascript:>> 
> wrote: 
> > Hello, 
> > 
> > We want to firewall-drop failed logins with SSH after 3 failed 
> passwords. 
> > We have the following config in /var/ossec/etc/ossec.conf (OSSEC 2.6) 
> for 
> > the commands and active responses: 
> > 
> > 
> >   <command> 
> >     <name>host-deny</name> 
> >     <executable>host-deny.sh</executable> 
> >     <expect>srcip</expect> 
> >     <timeout_allowed>yes</timeout_allowed> 
> >   </command> 
> > 
> >   <command> 
> >     <name>firewall-drop</name> 
> >     <executable>firewall-drop.sh</executable> 
> >     <expect>srcip</expect> 
> >     <timeout_allowed>yes</timeout_allowed> 
> >   </command> 
> > 
> >   <command> 
> >     <name>disable-account</name> 
> >     <executable>disable-account.sh</executable> 
> >     <expect>user</expect> 
> >     <timeout_allowed>yes</timeout_allowed> 
> >   </command> 
> > 
> >   <command> 
> >     <name>restart-ossec</name> 
> >     <executable>restart-ossec.sh</executable> 
> >     <expect></expect> 
> >   </command> 
> > 
> >   <active-response> 
> >     <command>restart-ossec</command> 
> >     <location>local</location> 
> >     <rules_id>510010</rules_id> 
> >   </active-response> 
> > 
> >   <active-response> 
> >     <disabled>no</disabled> 
> >     <command>host-deny</command> 
> >     <location>local</location> 
> >     <rules_id>2502,5720</rules_id> 
> >     <timeout>1800</timeout> 
> >   </active-response> 
> > 
> >   <active-response> 
> >     <disabled>no</disabled> 
> >     <command>firewall-drop</command> 
> >     <location>local</location> 
> >     <rules_id>2502,5720</rules_id> 
> >     <timeout>1800</timeout> 
> >   </active-response> 
> > 
> > 5720 is using 5716 in sshd_rules.xml for multiple failed logins 
> (frequency 
> > is 6). 
> > I restarted the ossec-hids on the manager and tried logging in with a 
> known 
> > and unknown account and with both scenario's the srcip is not being 
> blocked 
> > after 6 times within 30 seconds. 
> > 
> > Am I missing something? 
>
> >>frequency=6 means 8 attempts. 
>
> Even after 100 tries it still does not do anything with only 5720.
The 5716 rule is working correctly and blocking after 1 failed attempt, the 
frequency set for 5720 does nothing.
Does anyone have a sample SSH active response config for ossec 2.6 which I 
can test and try?

Michiel

Reply via email to